From 7e13b54cde944b15e2c48759b9e18e82d172b40f Mon Sep 17 00:00:00 2001
From: Benjamin Mako Hill <mako@atdot.cc>
Date: Tue, 9 Jun 2020 16:04:15 -0700
Subject: [PATCH] initial version of the CDSC version of scripts

---
 README-CDSC                    |  64 ++++++++++++++
 README.md => README-GP-SAML.md |   0
 hipreport-modified.sh          | 150 +++++++++++++++++++++++++++++++++
 openconnect_command-general.sh |  10 +++
 openconnect_command-ssh.sh     |  15 ++++
 ssh-vpn-proxy                  |  28 ++++++
 6 files changed, 267 insertions(+)
 create mode 100644 README-CDSC
 rename README.md => README-GP-SAML.md (100%)
 create mode 100755 hipreport-modified.sh
 create mode 100755 openconnect_command-general.sh
 create mode 100755 openconnect_command-ssh.sh
 create mode 100755 ssh-vpn-proxy

diff --git a/README-CDSC b/README-CDSC
new file mode 100644
index 0000000..1bac37c
--- /dev/null
+++ b/README-CDSC
@@ -0,0 +1,64 @@
+===========================
+== INSTALLATION ===========
+===========================
+
+1.
+
+Install prerequisites. This will include:
+
+sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0
+
+2.
+
+Install this directory into: ~/bin/nu-vpn-proxy
+
+3.
+
+Change your System UUID. You can get this with command:
+
+  sudo dmidecode|grep UUID
+
+You should see a line like:
+
+  UUID: deadbeef-dead-beef-dead-beefdeadbeef
+
+Edit the file hipreport-modified.sh to change the variable HOSTID so that it is
+equal to this number. Change the line that says
+"deadbeef-dead-beef-dead-beefdeadbeaf" so that it lists your UUID.
+
+4. [optional]
+
+Change bmh1867 to your username and add the following stanza text to your
+~/.ssh/config:
+
+Host kibo kibo.soc.northwestern.edu
+    Hostname kibo.soc.northwestern.edu
+    User bmh1867
+    ProxyCommand ~/bin/nu-vpn-proxy/ssh-vpn-proxy %h %p
+    ForwardAgent yes
+    ServerAliveInterval 120
+
+===========================
+== USAGE ==================
+===========================
+
+There are two ways to use this.
+
+1. *Only* for SSH connections to kibo.
+
+This should be just as simple as running:
+
+  ssh-kibo
+
+You can run the command mulptiple time and it should work. When you close the
+first connection though, it will disconnect all of your connections.
+
+2. Your entire connection.
+
+Run the following command:
+
+  ~/bin/openconnect_command-general.sh 
+
+While this command is running, you should be connected through the VPN. Run
+Ctrl-C to disconnect.
+
diff --git a/README.md b/README-GP-SAML.md
similarity index 100%
rename from README.md
rename to README-GP-SAML.md
diff --git a/hipreport-modified.sh b/hipreport-modified.sh
new file mode 100755
index 0000000..5f280de
--- /dev/null
+++ b/hipreport-modified.sh
@@ -0,0 +1,150 @@
+#!/bin/sh
+
+# openconnect will call this script with the follow command-line
+# arguments, which are needed to populate the contents of the
+# HIP report:
+#
+#   --cookie: a URL-encoded string, as output by openconnect
+#             --authenticate --protocol=gp, which includes parameters
+#             from the /ssl-vpn/login.esp response
+#
+#   --client-ip{,v6}: IPv4/6 addresses allocated by the GlobalProtect
+#                     VPN for this client (included in
+#                     /ssl-vpn/getconfig.esp response)
+#
+#   --md5: The md5 digest to encode into this HIP report. I'm not sure
+#          exactly what this is the md5 digest *of*, but all that
+#          really matters is that the value in the HIP report
+#          submission should match the value in the HIP report check.
+#
+# This hipreport.sh does not work as-is on Android. The large here-doc
+# (cat <<EOF) does not appear to work with Android's /system/bin/sh,
+# likely due to an insufficient read buffer size.
+# Try hipreport-android.sh instead.
+
+# Read command line arguments into variables
+COOKIE=
+IP=
+IPv6=
+MD5=
+
+while [ "$1" ]; do
+    if [ "$1" = "--cookie" ];      then shift; COOKIE="$1"; fi
+    if [ "$1" = "--client-ip" ];   then shift; IP="$1"; fi
+    if [ "$1" = "--client-ipv6" ]; then shift; IPV6="$1"; fi
+    if [ "$1" = "--md5" ];         then shift; MD5="$1"; fi
+    shift
+done
+
+if [ -z "$COOKIE" -o -z "$MD5" -o -z "$IP$IPV6" ]; then
+    echo "Parameters --cookie, --md5, and --client-ip and/or --client-ipv6 are required" >&2
+    exit 1;
+fi
+
+# Extract username and domain and computer from cookie
+USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p')
+DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p')
+COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p')
+
+# Timestamp in the format expected by GlobalProtect server
+NOW=$(date +'%m/%d/%Y %H:%M:%S')
+DAY=$(date +'%d')
+MONTH=$(date +'%m')
+YEAR=$(date +'%Y')
+
+# This value may need to be extracted from the official HIP report, if a made-up value is not accepted.
+HOSTID="deadbeef-dead-beef-dead-beefdeadbeef"
+
+cat <<EOF
+
+<?xml version="1.0" encoding="UTF-8"?>
+<hip-report>
+    <md5-sum>$MD5</md5-sum>
+    <user-name>$USER</user-name>
+    <domain>$USER</domain>
+    <host-name>$COMPUTER</host-name>
+    <host-id>$HOSTID</host-id>
+    <ip-address>$IP</ip-address>
+    <ipv6-address>$IPV6</ipv6-address>
+	<generate-time>$NOW</generate-time>
+	<categories>
+		<entry name="host-info">
+			<client-version>5.1.0-101</client-version>
+			<os>Linux 4.19.0-6-amd64</os>
+			<os-vendor>Linux</os-vendor>
+			<domain>domain.com</domain>
+			<host-name>spes</host-name>
+			<host-id>d6f838cc-2b6f-11b2-a85c-d7bcda6b231e</host-id>
+			<network-interface>
+				<entry name="pan1">
+					<description>pan1</description>
+					<mac-address>42:4e:62:fe:ef:87</mac-address>
+					<ip-address>
+						<entry name="$IP"/>
+					</ip-address>
+					<ipv6-address>
+						<entry name="$IPV6"/>
+					</ipv6-address>
+				</entry>
+			</network-interface>
+		</entry>
+	</categories>
+</hip-report><?xml version="1.0" encoding="UTF-8"?>
+<hip-report>
+    <md5-sum>$MD5</md5-sum>
+    <user-name>$USER</user-name>
+    <domain>$USER</domain>
+    <host-name>$COMPUTER</host-name>
+    <host-id>$HOSTID</host-id>
+    <ip-address>$IP</ip-address>
+    <ipv6-address>$IPV6</ipv6-address>
+	<generate-time>$NOW</generate-time>
+	<hip-report-version>4</hip-report-version>
+	<categories>
+		<entry name="host-info">
+			<client-version>5.1.0-101</client-version>
+			<os>Linux 4.19.0-6-amd64</os>
+			<os-vendor>Linux</os-vendor>
+			<domain>domain.com</domain>
+			<host-name>spes</host-name>
+			<host-id>d6f838cc-2b6f-11b2-a85c-d7bcda6b231e</host-id>
+			<network-interface>
+				<entry name="pan1">
+					<description>pan1</description>
+					<mac-address>42:4e:62:fe:ef:87</mac-address>
+					<ip-address>
+						<entry name="$IP"/>
+					</ip-address>
+					<ipv6-address>
+						<entry name="$IPV6"/>
+					</ipv6-address>
+				</entry>
+			</network-interface>
+		</entry>
+		<entry name="anti-malware">
+			<list>
+			</list>
+		</entry>
+		<entry name="disk-backup">
+			<list>
+			</list>
+		</entry>
+		<entry name="disk-encryption">
+			<list>
+			</list>
+		</entry>
+		<entry name="firewall">
+			<list>
+			</list>
+		</entry>
+		<entry name="patch-management">
+			<list>
+			</list>
+		</entry>
+		<entry name="data-loss-prevention">
+			<list>
+			</list>
+		</entry>
+	</categories>
+</hip-report>
+EOF
diff --git a/openconnect_command-general.sh b/openconnect_command-general.sh
new file mode 100755
index 0000000..11d7dab
--- /dev/null
+++ b/openconnect_command-general.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# change to the vpn file directory
+cd ~/bin/nu-vpn-proxy
+
+## do the authentication
+eval $( ./gp-saml-gui.py -v --clientos=Linux vpn-connect2.northwestern.edu ) 
+
+echo "$COOKIE" | sudo openconnect --useragent="PAN GlobalConnect" --version-string='5.1.0-101' --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST" --csd-wrapper="hipreport-modified.sh" --reconnect-timeout 60
+
diff --git a/openconnect_command-ssh.sh b/openconnect_command-ssh.sh
new file mode 100755
index 0000000..09f2181
--- /dev/null
+++ b/openconnect_command-ssh.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+LOG_FILE=/tmp/nu-globalprotect-saml.log
+PID_FILE=/tmp/nu-vpn-openconnect.pid
+
+exec > $LOG_FILE
+
+# change to the vpn file directory
+cd ~/bin/nu-vpn-proxy
+
+## do the authentication
+eval $( ./gp-saml-gui.py -v --clientos=Linux vpn-connect2.northwestern.edu ) 
+
+echo "$COOKIE" | openconnect --useragent="PAN GlobalConnect" --version-string='5.1.0-101' --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST" --csd-wrapper="hipreport-modified.sh" --reconnect-timeout 60 --script-tun --script "ocproxy -D 9052" -b --pid-file "${PID_FILE}"
+
diff --git a/ssh-vpn-proxy b/ssh-vpn-proxy
new file mode 100755
index 0000000..3548b40
--- /dev/null
+++ b/ssh-vpn-proxy
@@ -0,0 +1,28 @@
+#!/bin/bash 
+
+SEARCH_PATTERN="ESP tunnel connected; exiting HTTPS mainloop."
+
+# connects to SSH through openconnect and VPN
+# for use with ProxyCommand in SSH
+
+
+# first run openconnect
+/sbin/start-stop-daemon --pidfile /tmp/nu-vpn-openconnect.pid -S --startas "$HOME/bin/nu-vpn-proxy/openconnect_command-ssh.sh" &  
+sleep 2
+
+# kill connection on exit
+function cleanup {
+  /sbin/start-stop-daemon --stop --pidfile /tmp/nu-vpn-openconnect.pid
+}
+trap cleanup EXIT
+
+tail -f /tmp/nu-globalprotect-saml.log | grep -qe "${SEARCH_PATTERN}"
+
+if [ $? == 1 ]; then
+    echo "Search terminated without finding the pattern"
+    exit
+fi
+
+# redirect traffic (standard input and output) through VPN
+/bin/nc.openbsd -X 5 -x 127.0.0.1:9052 $1 $2
+
-- 
2.39.5